Group signature with local revocation verification with capacity for lifting anonymity

ABSTRACT

The cryptographic scheme subdivides time into periods with an index j=0, 1, 2, etc. A public key indicates elements u and v of a first cyclic group G 1  of prime order p and, for each period j, an integer s j  between 0 and p−1 and elements g 1,j  of the group G 1  and g 2,j , w j  and h j  of another cyclic group G 2  of order p. The private key of a member of the group indicates an integer x i  between 0 and p−1 and, for each period j, an element A i,j  of the group G 1  such that A i,n =[A i,n-1 /g 1,n-1 ] 1/(x     i     −s     n     )  for 1≦n≦j. To sign a message during a period j≧0, the member selects two integers α and β between 0 and p−1, calculates T 1 =u α , T 2 =A i,j ·v α , S 1 =g 2,j   β  and S 2 =e(A i,j , h j ) β  where e(., .) is a bilinear map of G 1 ×G 2  onto G T , and determines according to the message the data that justify the fact that the elements T 1 , T 2 , S 1  and S 2  are correctly formed with knowledge of the private key of the member for the period with index j.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is the U.S. national phase of the International PatentApplication No. PCT/FR2009/052562 filed Dec. 16, 2009, which claims thebenefit of French Application No. 08 59109 filed Dec. 30, 2008, theentire content of which is incorporated herein by reference.

FIELD OF THE INVENTION

This invention relates to a cryptographic method, and in particular tothe Verifier-Local Revocation (VLR) group signature techniques.

BACKGROUND

A group signature scheme allows members to sign messages anonymously onbehalf of the group. A person examining the signature can then obtainthe assurance that the signer is a member of the group, without beingable to identify which member it is. It is often implemented so that anauthorized authority remains able to lift the anonymity of any signaturewhen needed.

To allow revocation of a group member, the scheme must also havemechanisms to prevent a member from signing after such a revocation. Twomain techniques exist:

-   -   one which requires updating the keys of all non-revoked members        and updating the public key for the system,    -   the other which requires the verifier to test whether or not a        given signature was generated from a revoked key. A revocation        list then contains elements characterizing the set of these        revoked keys.

In certain contexts, it is undesirable to require the users to connectregularly to the database of public elements in order to update theirkeys, as this operation can be costly in terms of computation.

The second technique, called group signature with verifier-localrevocation (VLR), is considered here. It typically makes use ofalgorithms having the following functionalities:

-   -   generation of keys, namely a public key shared by all        protagonists of the scheme, respective private keys of the        various members of the signer group, a secret key of the group        manager, and a secret key of the revocation manager;    -   signature, allowing each member having a private key to sign        anonymously for the group;    -   revocation, allowing a revocation manager to add a member to the        list of revoked members;    -   signature verification, allowing anyone having the public key to        ensure that a given signature does indeed come from a        non-revoked member of the signer group (without being able to        determine which member);    -   opening a signature . . . .

A VLR technique for group signature that does not have the ability tolift anonymity was introduced by Boneh and Shacham in “Group Signatureswith Verifier-Local Revocation”, Proceedings of the 11^(th) ACMConference on Computer and Communications Security, Washington D.C.,USA, ACM, 2004, pp. 168-177. Aside from the inability to lift anonymity,which is a desirable property in many cases, this system has thelimitation of not maintaining the anonymity of prior signatures(backward unlinkability). This property of maintaining anonymity ensuresthat revoking a member does not compromise the anonymity of all previoussignatures of this member. This property is often desirable,particularly when the revoked member is honest.

In “Verifier-Local Revocation Group Signature Schemes with BackwardUnlinkability from Bilinear Maps”, IEICE Transactions on Fundamentals ofElectronics, Communications and Computer Sciences, 2007, E90-A(1), pp.65-74, Nakanishi and Funabiki proposed a variation in which time isdivided into a number of periods with the number being fixed at systemcreation. Each period has a corresponding element in the public key ofthe system (necessary to produce a signature), and to each revokedmember there corresponds as many elements in the revocation list asthere are periods. This technique, which also does not include thelifting of anonymity, has the disadvantage that a revoked key cancontinue to be used to produce group signatures as long as the currentperiod has not ended. It is therefore necessary to compromise betweenthe length of a period and the size of the public elements andrevocation list.

There is no current technique that provides a strong secrecypreservation property, in which an adversary accessing the private keyof a member of the signer group is unable to determine which signatureswere made by this member.

In “Shorter Verifier-Local Revocation Group Signatures From BilinearMaps” (Lecture Notes in Computer Science, Cryptology and NetworkSecurity, Volume 4301, 2006, pp. 126-143), Zhou and Lin presented a VLRgroup signature scheme allowing the lifting of anonymity. An anonymitylifting manager, which holds a secret key, is then able to partiallyreveal the private key of the member who signed a given message. Themechanism for opening or lifting anonymity in this article requires anexhaustive search among the members of the group, making this anunattractive system.

SUMMARY

The present invention aims to offer a cryptographic system having theproperty of strong secrecy preservation. In addition, it aims toauthorize revocations within a constant period of time withoutsubsequently allowing identification of the signatures of the revokedmember.

A cryptographic method is proposed which uses a cryptographic schemebased on cyclic groups G₁, G₂ and G_(T) of order p, two respectivegenerator elements g₁ and g₂ of the groups G₁ and G₂, and a bilinear mape(., .) of G₁×G₂ onto G_(T), where p indicates a prime number. In thismethod, time is subdivided into successive periods of index j=0, 1, 2,etc. A public key has components representative of elements u and v ofthe group G₁ and, for each period of index j, components representativeof an integer s_(j) between 0 and p−1, of an element g_(1,j) of thegroup G₁, and of elements g_(2,j), w_(j) and h_(j) of the group G₂. Afirst secret key includes an integer γ between 0 and p−1 such thatw_(j)=g_(2,j) ^(γ), g_(1,0)=g₁ ^(1/(γ+s) ⁰ ⁾, g_(2,0)=g₂ ^(1/(γ+s) ⁰ ⁾and, for j>0, g_(1,j)=g_(1,j-1) ^(1/(γ+s) ^(j) ⁾ and g_(2,j)=g_(2,j-1)^(1/(γ+s) ^(j) ⁾. A second secret key includes an integer ok between 0and p−1 such that v=u^(ok). A third secret key includes an integer tkbetween 0 and p−1 such that h_(j)=g_(2,j) ^(tk). Each member of a signergroup has a private key with a component representative of an integerx_(i) between 0 and p−1 and, for each period of index j, a componentrepresentative of an element A_(i,j) of the group G₁ such thatA_(i,n)=[A_(i,n-1)/g_(1,n-1)]^(1/(x) ^(i) ^(−s) ^(n) ⁾ for any index nbetween 1 and j.

The cryptographic method comprises a signature procedure in which saidmember of the signer group obtains a signature for a message during aperiod of index j≧0, by executing the steps of:

-   -   choosing two integers α and β between 0 and p−1;    -   calculating elements T₁=u^(α) and T₂=A_(i,j)·v^(α) of the group        G₁;    -   calculating an element S₁=g_(2,j) ^(β) of the group G₂;    -   calculating an element S₂=e(A_(i,j), h_(j))^(β) of the group        G_(T);    -   calculating proof data as a function of the message, to confirm        that the elements T₁, T₂, S₁ and S₂ are correctly formed with        knowledge of the private key of the member of the signer group        for the period of index j; and    -   including the elements T₁, T₂, S₁, S₂ and the proof data into        the signature of the message.

In an embodiment, the element A_(i,0) of the group G₁ is equal to g₁^(1/(γ+x) ^(i) ⁾.

In another embodiment, a procedure is provided for registering memberswith a supervisory authority holding the first secret key. The privatekey of a member of a signer group then has components representative (1)of x_(i), (2) of another integer y_(i) between 0 and p−1 which is onlyknown to the member who is being registered, and (3) of A_(i,j) whereA_(i,0)=g₁ ^(1/(γ+x) ^(i) ⁾·v^(y) ^(i) ^(/(γ+x) ^(i) ⁾.

The third secret key is used for member revocation from the signergroup. The cryptographic method can thus comprise a procedure for therevocation of members from the signer group by an authority holding thethird secret key and maintaining an updated revocation list applicableto a current period and containing k−1 elements of the group G₁ afterrevocation of k−1 members of the signer group, where k is an integer atleast equal to 1. The revocation during a period of index j′ of a k^(th)member of the signer group for whom the private key contains an elementA_(i(k),j′) of the group G₁ for the period of index j′ then comprisesadding an element grt[i(k), j′]=A_(i(k),j′) ^(tk) of the group G₁ to therevocation list applicable to the period of index j′.

A procedure can additionally be provided for the modification of therevocation list by an authority holding the first secret key, to beexecuted at each change of period in the time subdivision. Therevocation list modification when advancing from a period of index j″−1to the next period of index j″ for an integer j″≧1 then comprises, forany element grt[i(l), j″−1] of the group G₁ belonging to the revocationlist applicable to the period of index j″−1, including the elementgrt[i(l), j″]=grt[i(l), j″−1]^(1/(γ+s) ^(j″) ⁾ of the group G₁ into therevocation list applicable to the next period of index j″.

Using such revocation lists, a signature verification procedure can beapplied by an entity holding the public key. The verification of asignature, including the elements T₁, T₂ of the group G₁ and S₁, S₂ ofthe group G₂ and proof data, attached to a message and presumed to beobtained during a period of index j, takes into account the revocationlist applicable to the period of index j and comprises the steps of:

-   -   determining that the signature comes from a member of the signer        group if the proof data confirm that the elements T₁, T₂, S₁ and        S₂ are correctly formed as a function of the message with        knowledge of a private key valid for the period of index j; and    -   accepting the signature as coming from a non-revoked member of        the signer group if e(grt[i(l), j], S₁)≠S₂ for any element        grt[i(l), j] of the revocation list applicable to the period of        index j.

The second secret key is used to allow anonymity lifting. Thecryptographic method can thus comprise a procedure for an authorityholding the second secret key to lift the anonymity of the signer (alsoreferred to as the signatory) of a message, the anonymity lifting basedon a signature of the message, including the elements T₁, T₂ of thegroup G₁, comprising calculating the element A=T₂·T₁ ^(−ok) of the groupG₁.

Another aspect of the invention relates to a cryptographic device forimplementing the above method, using a cryptographic scheme based oncyclic groups G₁, G₂ and G_(T) of order p, two respective generatingelements g₁ and g₂ of the groups G₁ and G₂, and a bilinear map e(., .)of G₁×G₂ onto G_(T), where p indicates a prime number, time beingsubdivided into successive periods of index j=0, 1, 2, etc. A public key(gpk_(j)) has components representative of elements u and v of the groupG₁ and, for each period of index j, components representative of aninteger s_(j) between 0 and p−1, of an element g_(1,j) of the group G₁,and of elements g_(2,j), w_(j) and h_(j) of the group G₂. A private keyof a member of a signer group possessing the cryptographic device has acomponent representative of an integer x_(i) between 0 and p−1 and, foreach period of index j, a component representative of an element A_(i,j)of the group G₁ such that A_(i,n)=[A_(i,n-1)/g_(1,n-1)]^(1/(x) ^(i)^(−s) ^(n) ⁾ for any index n between 1 and j. The cryptographic devicecomprises a calculator for obtaining a signature for a message during aperiod of index j≧0, by selecting two integers α and β between 0 andp−1, and calculating elements T₁=u^(α) and T₂=A_(i,j)·v^(α) of the groupG₁, an element S₁=g_(2,j) ^(β) of the group G₂, an element S₂=e(A_(i,j),h_(j))^(β) of the group G_(T) and, as a function of the message, proofdata confirming that the elements T₁, T₂, S₁ and S₂ are correctly formedwith knowledge of the private key of the member of the signer group forthe period of index j, the signature of the message including theelements T₁, T₂, S₁, S₂ and the proof data.

Yet another aspect of the invention relates to a cryptographic unitusing a cryptographic scheme as presented above and comprising arevocation list manager for maintaining an updated revocation listapplicable to a current period using a secret key, i.e. the third secretkey. The revocation list manager comprises a calculator for receiving,during a period of index j′, a revocation list containing k−1≧0 elementsof the group G₁ and a revocation request for a k^(th) member of thesigner group for whom the private key contains an element A_(i(k),j′) ofthe group G₁ for the period of index j′, k being an integer at leastequal to 1, and for producing an updated revocation list applicable tothe period of index j′, to which has been added the element grt[i(k),j′]=A_(i(k),j′) ^(tk) of the group G₁.

Yet another aspect of the invention relates to a cryptographic unitusing a cryptographic scheme as presented above and comprising anotherrevocation list manager for forming a revocation list applicable to anew period of index j″ using a secret key, i.e. the first secret key,and based on a revocation list applicable to the previous period ofindex j″−1, where j″ is an integer at least equal to 1. The revocationlist applicable to the new period of index j″ comprises a respectiveelement grt[i(l), j″]=grt[i(l), j″−1]^(1/(γ+s) ^(j″) ⁾ of the group G₁for any element grt[i(l), j″−1] of the group G₁ belonging to therevocation list applicable to the previous period of index j″−1.

Yet another aspect of the invention relates to a verification device forverifying the signatures produced using a cryptographic scheme aspresented above. This verification device has access to the public keyfor a period of index j as well as to a revocation list applicable tothe period of index j and composed of k elements grt[i(l), j] of thegroup G₁, where k is a positive integer or zero. It comprises acalculator for receiving a signature attached to a message and presumedto be obtained during a period of index j, the signature includingelements T₁, T₂ of the group G₁ and S₁, S₂ of the group G₂ and proofdata, for determining that said signature comes from a member of thesigner group if the proof data confirm that the elements T₁, T₂, S₁ andS₂ are correctly formed as a function of the message with knowledge of aprivate key valid for the period of index j, and for accepting thesignature as coming from a non-revoked member of the signer group ife(grt[i(l), j], S₁)≠S₂ for any element grt[i(l), j] of the revocationlist applicable to the period of index j.

Yet another aspect of the invention relates to a cryptographic unitusing a cryptographic scheme as presented above and comprising ananonymity lifting server using a secret key, i.e. the second secret key,for receiving a signature for a message, including the elements T₁, T₂of the group G₁, and producing the element A=T₂·T₁ ^(−ok) of the groupG₁.

Other aspects of the invention propose computer programs for thecryptographic devices and units as defined above. These programscomprise instructions for executing the steps of the signatureprocedure, the revocation procedure, the revocation list modificationprocedure, the signature verification procedure, and the anonymitylifting procedure of the cryptographic methods, during their executionby a processing unit of the cryptographic device or unit.

BRIEF DESCRIPTION OF THE DRAWINGS

Other features and advantages of the invention will become apparent fromreading the following description of some non-limiting exemplaryembodiments, with reference to the attached drawings in which:

FIG. 1 is a block diagram illustrating the entities involved in a VLRgroup signature method having a capacity for lifting anonymity;

FIGS. 2 to 9 are diagrams illustrating the inputs and outputs of theseentities in different phases of the cryptographic method; and

FIG. 10 is a diagram illustrating a procedure for registering thesigners in an embodiment of the cryptographic method.

DETAILED DESCRIPTION

The cryptographic method illustrated in FIG. 1 involves four authoritieswhich, in the example illustrated, use four distinct cryptographic units1, 3, 4 and 6:

-   -   a supervisory authority for one or more signer groups, for which        unit 1 incorporates a group manager storing a base key γ in a        secret manner;    -   an membership revocation authority for one or more signer        groups, for which unit 3 incorporates a revocation manager        storing a revocation key tk in a secret manner;    -   an authority for updating revocation lists, for which unit 4        incorporates a revocation list manager storing the base key γ in        a secret manner;    -   an authority for lifting the anonymity of message signers, for        which unit 6 incorporates a anonymity lifting server storing an        anonymity lifting key ok in a secret manner.

In practice, several of these authorities can be collocated in one unit.Typically, the authorities for supervising the groups and updating therevocation lists belong to the same unit so that the key γ is onlystored in one location. The four units 1, 3, 4, 6 represented in FIG. 1could even be a single unit.

FIG. 1 also shows a signer group 2 having signatory members who possesscryptographic devices 2 ₁, . . . , 2 _(i), . . . which each store arespective private key gsk[1, j], . . . , gsk[i, j], . . . . The privatekeys gsk[i, j] of the users are indexed by an integer j which denotessuccessive periods of time incorporated in the cryptographic scheme(j=0, 1, 2, etc.).

One or more devices 5 having access only to the public parameters areable to verify the signatures σ attached to messages M by members of thegroup 2. The verification concerns the validity of the signature and thenon-revocation of its author.

The group manager 1 is responsible for generating and publishing thepublic key gpk_(j) related to each period of index j in the timesubdivision. If it is implemented in the same unit as the revocationauthority 3 and the anonymity lifting authority 6, the group manager 1also generates the secret keys tk and ok for the membership revocationand anonymity lifting authorities. The group manager 1 then generatesthe respective private keys gsk[1, 0], . . . , gsk[i, 0], . . . for themembers of the group for the period of index j=0 and distributes them tothese members.

The cryptographic scheme employed refers to three cyclic groups G₁, G₂and G_(T) (two or three of them can be the same). The cyclic groups G₁,G₂ and G_(T) are of prime order p. The respective generator elements forthe groups G₁ and G₂ are denoted as g₁ and g₂, connected to each otherby an isomorphism ψ (g₁=ψ(g₂)). The scheme also uses a bilinear map e(.,.) of G₁×G₂ onto G_(T). Bilinear is understood to mean that for any pairof integers (a, b), any element u₁ of G₁, and any element u₂ of G₂, wehave e(u₁ ^(a), u₂ ^(b))=e(u₁, u₂)^(ab). One of the possible examples ofthis bilinear map e(., .) is the Tate pairing.

FIG. 2 illustrates an example of the initial generation of keys by thegroup manager 1. The group manager 1 chooses element g₂ in the group G₂and takes g₁=ψ(g₂). It also chooses (for example randomly) the integer γbetween 0 and p−1 to form the base key which it keeps secret.

To generate the public key gpk₀=(u, v, s₀, w₀, h₀, g_(1,0), g_(2,0)),relative to the period of index j=0, the group manager 1 also chooses(for example randomly) an element u in the group G₁ and an integer s₀between 0 and p−1. It calculates the elements g_(1,0) of the group G₁and g_(2,0), w₀ of the group G₂ as follows:g _(1,0) =g ₁ ^(1/(γ+s) ⁰ ⁾g _(2,0) =g ₂ ^(1/(γ+s) ⁰ ⁾w ₀ =g _(2,0) ^(γ)

The group manager 1 sends the element g_(2,0) to the membershiprevocation authority 3 so that the authority can calculate the elementh₀ of the group G₂ as follows:h ₀ =g _(2,0) ^(tk)after having randomly selected the integer tk between 0 and p−1. Therevocation authority 3 stores its key tk in a secret manner and returnsthe element h₀ to the group manager 1 for publishing the public keygpk₀.

The group manager 1 also sends the element u to the anonymity liftingauthority 6 so that said authority can calculate the element v of thegroup G₁ as follows:v=u ^(ok)after randomly selecting the integer ok between 0 and p−1. The anonymitylifting authority 6 stores its key ok in a secret manner and returns theelement v to the group manager 1 for publishing the public key gpk₀.

The parameters u and v of the public key gpk₀ are permanent, while theother parameters s₀, w₀, h₀, g_(1,0) and g_(2,0) will be updated at eachnew period of index j>0. To do this (FIG. 3), the group manager 1selects a new integer s_(j) between 0 and p−1 then calculates theelements g_(1,j) of the group G₁ and g_(2,j), w_(j) and h_(j) of thegroup G₂ as follows:g _(1,j) =g _(1,j-1) ^(1/(γ+s) ^(j) ⁾g _(2,j) =g _(2,j-1) ^(1(γ+s) ^(j) ⁾w _(j) =g _(2,j) ^(γ)h _(j) =g _(2,j) ^(tk)

The new public key for the period of index j is then gpk_(j)=(u, v,s_(j), w_(j), h_(j), g_(1,j), g_(2,j)). The periods j can be of anyduration. This is for example decided by the group manager 1.

To generate the private key gsk[i, 0]=(x_(i), A_(i,0)) for a member irelative to the period of index j=0, the group manager 1 selects (forexample randomly) an integer x_(i) between 0 and p−1 and calculates theelement A_(i,0)=g₁ ^(1/(γ+x) ^(i) ⁾ of the group G₁. For each period ofindex j>0, the private key becomes gsk[i, j]=(x_(i), A_(i,j)), where theelement A_(i,j) of the group G₁ is given by:A _(i,j) =[A _(i,j-1) /g _(1,j-1)]^(1/(x) ^(i) ^(−s) ^(j) ⁾  (1)

After distribution of the initial key gsk[i, 0]=(x_(i), A_(i,0)), thecryptographic device 2 _(i) for the member having successive public keysgpk₀, . . . , gpk_(j) (or at least g_(1,0), . . . , g_(1,j-1) and s₁, .. . , s_(j)) is thus able to obtain his private key gsk[i, j]=(x_(i),A_(i,j)) for any period of index j, by the process illustrated in FIG. 4where the calculator 20 applies the recursionA_(i,n)=[A_(i,n-1)/g_(1,n-1)]^(1/(x) ^(i) ^(−s) ^(n) ⁾ to each newperiod with an integer index n≧1 up to j.

The signature of a message M, generated locally in the cryptographicdevice 2 _(i) of a member or received from the outside, can take placeas illustrated in FIG. 5. First, the calculator 25 for the device 2 _(i)finds a value for the element A_(i,j) of the private key of the signingmember relative to the period j in which the signature took place, by asearchable and decodable encryption technique, to produce a cryptogram(T₁, T₂, S₁, S₂). Then the calculator 25 calculates proof data Φ as afunction of the message M to prove that the cryptogram (T₁, T₂, S₁, S₂)is correctly formed with knowledge of the private key gsk[i, j]=(x_(i),A_(i,j)) of the member for the signature period of index j. The proofdata Φ advantageously consist of a zero-knowledge proof of knowledge(ZKPOK).

The cryptogram (T₁, T₂, S₁, S₂) is composed of two elements T₁, T₂ ofthe group G₁, an element S₁ of the group G₂, and an element S₂ of thegroup G_(T), which the cryptographic device 2 _(i) calculates afterhaving randomly selected two integers α and β between 0 and p−1, asfollows:T ₁ =u ^(α)T ₂ =A _(i,j) ·v ^(α)S ₁ =g _(2,j) ^(β)S ₂ =e(A _(i,j) ,h _(j))^(β)

The ZKPOK serving as proof data Φ can be established in various wayswhich are well known in cryptographic techniques (for example, see “Onthe Fly Authentication and Signature Schemes Based on Groups of UnknownOrder”, M. Girault, G. Poupard, J. Stern, Journal of Cryptology, Vol.19, pp. 463-487, 2006; or “Efficient Identification and Signatures forSmart Cards”, K. P. Schnorr, Crypto '89, Vol. 435, Lecture Notes inComputer Science, pp. 239-252, Springer, 1989). In particular, the ZKPOKΦ may prove knowledge of the quintuplet (x_(i), z, α, β, δ), wherez=x_(i)·α and δ=α·β, such that:T ₁ =u ^(α)e(T ₂ ,g _(2,j))^(x) ^(i) ·e(v,w _(j))^(−α) ·e(v,g _(2,j))^(−z) =e(g_(1,j) ,g _(2,j))/e(T ₂ ,w _(j))T ₁ ^(β) =u ^(δ)S ₁ =g _(2,j) ^(β)e(T ₂ ,h _(j))^(β) =S ₂ ·e(v,h _(j))^(δ)

One of the possible examples consists of the calculator 25 calculatingthe ZKPOK in four steps:

-   -   (E1) randomly selecting integers r_(x) _(i) , r_(z), r_(α),        r_(β) and r_(δ) between 0 and p−1;    -   (E2) calculating the following elements:

t₁ = u^(r_(α))t₂ = e(T₂, g_(2, j))^(r_(x_(i))) ⋅ e(v, w_(j))^(−r_(α)) ⋅ e(v, g_(2, j)) − r_(z)t₃ = T₁^(r_(β))/u^(r_(δ)) t₄ = g_(2, j)^(r_(β))t₅ = e(T₂, h_(j))^(r_(β))/e(v, h_(j))^(r_(δ))

-   -   (E3) calculating a digest c by applying a hash function        to the concatenation of the elements T₁, T₂, S₁, S₂, t₁, t₂, t₃,        t₄, t₅ and of the message M expressed in binary, which is c=        (T₁∥T₂∥S₁∥S₂∥t₁∥t₂∥t₃∥t₄∥t₅∥M)    -   (E4) calculating the following elements:        s _(x) _(i) =r _(x) _(i) −c·x _(i)        s _(z) =r _(z) −c·z        s _(α) =r _(α) −c·α        s _(β) =r _(β) −c·β        s _(δ) =r _(δ) −c·δ

The ZKPOK delivered by the calculator 25 of the cryptographic device 2_(i) is then Φ=(c, s_(x) _(i) , s_(z), s_(α), s_(β), s_(δ)). And thesignature σ obtained in this manner for the message M is σ=(T₁, T₂, S₁,S₂, Φ).

The revocation of a member during a period of index j′≧0 requiresknowing element A_(i,j′) of his private key in effect during the periodof index j′. This is performed by the revocation manager 3 to which thiselement is submitted by the group manager 1, by the anonymity liftingserver 6 (which determines it by the process described below withreference to FIG. 9), or by the member i who is to be revoked.

The revocation procedure is illustrated by FIG. 6. It adds an element toa revocation list RL_(j′) composed of a certain number of elementsgrt[i(l), j′] of the group G₁. This list is empty when no member hasbeen revoked. The number of members revoked before the currentrevocation is denoted as k−1 (where k is an integer greater than zero).In the procedure illustrated in FIG. 6, the revocation manager 3therefore receives a list RL_(j′) of k−1 elements grt[i(l), j′] for l=1,2, . . . , k−1, as well as the element A_(i,j′) of the key to be revokedduring the period of index j′. A calculator 30 determines grt[i(k),j′]=A_(i(k),j′) ^(tk) and adds it to the list RL_(j′).

The updated list RL_(j′), composed of k elements, is then published bythe authority 3 so that each verification device is aware of it.

When there is a change of period, from the index to the index j″−1 tothe index j″ (j″≧1), the group manager makes available a new public keygpk_(j″) as described above. It also signals to the authority whichupdates the revocation list that a new list RL_(j″) must be formedbecause of the change of period.

This is done by a calculator 40 of the cryptographic unit 4 asillustrated in FIG. 7. This calculator receives the list RL_(j″-1) whichapplied during the previous period as well as the number s_(j″) which ispart of the new public key gpk_(j″). Each element grt[i(l), j″−1] of theprevious list RL_(j″-1) which is replaced with a new element grt[i(l),j″]=grt[i(l), j″−1]^(1/(γ+s) ^(j″) ⁾ of the group G₁ to form therevocation list RL_(j″).

FIG. 8 shows the calculator 50 which will enable a verification device 5to verify the signature σ attached to a message M using the abovescheme. In addition to the signed message (M, σ), the calculator 50 hasaccess to the public key gpk_(j)=(u, v, s_(j), w_(j), h_(j), g_(1,j),g_(2,j)) for the period of index j during which the signature σ ispresumed to have been attached as well as the revocation list RL_(j)which applies for this same period (and if applicable, taking intoaccount the revocations occurring during the current period, afterintervention of the revocation manager 3). The index of period j may beattached to the signature σ or deduced from a timestamp on the messageM. If not, the public elements which the verifier 5 accesses include thekeys gpk_(j) and the lists RL_(j) of the different periods up to thecurrent period, so as to scan the indexes j.

In a first step of the verification, the calculator 50 tests thevalidity of the signature using proof data Φ, which here means seeingwhether the proof data Φ confirm that the elements T₁, T₂, S₁ and S₂ arecorrectly formed as a function of the message M with knowledge of aprivate key gsk[i, j] valid for the period of index j. The signature σwill be recognized as coming from a member of the group 2 if the test ispositive. The test uses well-known techniques for ZKPOK such as thosedescribed in the publications cited above. If the received ZKPOK Φ=(c,s_(x) _(i) , s_(z), s_(α), s_(β), s_(δ)) is calculated by the steps(E1)-(E4) mentioned above, the test can occur in three steps:

-   -   (E′1) calculating the following elements:

d₁ = T₁^(c) ⋅ u^(s_(α))d₂ = [e(g_(1, j), g_(2, j))^(c)/e(T₂, w_(j))] ⋅ e(T₂, g_(2, j))^(s_(x_(i))) ⋅ e(v, w_(j))^(−s_(α)) ⋅ e(v, g_(2, j))^(−s_(z))d₃ = T₁^(s_(β))/u^(s_(δ)) d₄ = S₁^(c) ⋅ g_(2, j)^(s_(β))d₅ = S₂^(c) ⋅ e(T₂, h_(j))^(s_(β))/e(v, h_(j))^(s_(δ))

-   -   (E′2) calculating a digest c′ using the hash function        taking into account the received message M, meaning where c′=        (T₁∥T₂∥S₁∥S₂∥d₁∥d₂∥d₃∥d₄∥d₅∥M)    -   (E′3) concluding that the test is positive if c′=c, and        otherwise negative.

In a second verification step, the calculator 50 examines whether or nota (unidentified) member of the group 2 who has attached a signature σrecognized as valid to the message M has been revoked.

This second step consists of successively considering the elementsgrt[i(l), j] of the group G₁ which appear (if applicable, i.e. if k>0)in the revocation list RL_(j) for l=1, . . . , k, and calculating foreach one the element X_(l) of the group G_(T) using X_(l)=e(grt[i(l),j], S₁). If the case where X_(l)=S₂ is encountered, one can concludethat the signature σ comes from the l^(th) member of the group 2 who hasbeen revoked. If X_(l)≠S₂ for all elements in the revocation listRL_(j′) the signature σ can be accepted as coming from a non-revokedmember of the signer group 2.

To permit lifting the anonymity of the message signer under the controlof the authority authorized to do so, the anonymity lifting server 6comprises a calculator 60 to which the signature σ for this message issubmitted. It is even sufficient to provide it with the elements T₁ andT₂ of this signature σ. The anonymity lifting server 60 has access tothe key ok, so that the calculator 60 can calculate the element A=T₂·T₁^(−ok) of the group G₁.

It can be verified that this element A, constituting the output from theanonymity lifting server 6, is equal to the element A_(i,j) of theprivate key of the member who generated the signature σ during theperiod of index j. By making known this element A=A_(i,j′) the groupmanager 1 is able to reveal who is the signer and if necessary torequest his revocation by the manager 3. One will note that only knowingA=A_(i,j) is insufficient for an adversary to sign in place of thesigner whose anonymity has been lifted, as the parameter x_(i) of hisprivate key is not revealed by the server 6.

In the embodiment described above, the element A_(i,0) of the group G₁belonging to the private key of a member i for the period of index j=0is equal to g₁ ^(1/(γ+x) ^(i) ⁾.

In one variant, A_(i,0)=g₁ ^(1/(γ+x) ^(i) ⁾·v^(y) ^(i) ^(/(γ+x) ^(i) ⁾is used, where the integer y_(i) is selected by the member i between 0and p−1 during a registration procedure such as the one illustrated inFIG. 10.

The registration procedure allows the users who are members of thesigner group to keep the component y_(i) and communicate it to no one.In a first step 10, the cryptographic device 2 _(i) of the memberrandomly selects the integer y_(i) between 0 and p−1, then calculatesthe element t_(i)=v^(x) ^(i) of the group G₁ in step 11. This elementt_(i) is sent to the supervisory authority 1 in a registration request.

If the registration is accepted by the authority 1, it randomly selectsthe integer x_(i) between 0 and p−1 in step 12, then calculates theelement A_(i,0)=(g₁·t_(i))^(1/(γ+x) ^(i) ⁾ of the group G₁ in step 13.The parameters x_(i), A_(i,0) for the private key of the member are sentto him by the authority 1 so that he/she registers his/her key gsk[i,0]=(x_(i), y_(i), A_(i,0)) for the period of index j=0 in step 14.He/she will then be able to update it for subsequent periods usingrecursion (1).

The authority 1 also keeps the element A_(i,0) of the member's key instep 15, and it will be able to update this element A_(i,j) duringsubsequent periods of index j as dictated by the authority 4 whichupdates the revocation list.

When a registration procedure is implemented, the procedures forrevocation, forming the revocation list for a new period j, and liftinganonymity are identical to those described above with reference to FIGS.6, 7 and 9. The signature procedure is adapted to take into account theparameter y_(i) added to the private key. More particularly, the ZKPOK Φis modified to prove knowledge of the sextuplet (x_(i), y_(i), z, α, β,δ), where z=x_(i)·α and δ=α·β, such that:T ₁ =u ^(α)e(T ₂ ,g _(2,j))^(x) ^(i) ·e(v,w _(j))^(−α−y) ^(i) ·e(v,g _(2,j))^(−z)=e(g _(1,j) ,g _(2,j))/e(T ₂ ,w _(j))

T ₁ ^(β) =u ^(δ)S ₁ =g _(2,j) ^(β)e(T ₂ ,h _(j))^(β) =S ₂ ·e(v,h _(j))^(δ)

The ZKPOK thus proves that the cryptogram T₁=u^(α), T₂=A_(i,j)·v^(α),S₁=g_(2,j) ^(β), S₂=e(A_(i,j), h_(j))^(β) is correctly formed withknowledge of the private key gsk[i, j]=(x_(i), y_(i), A_(i,j)) of themember for the signature period of index j. Using standard verificationtechniques, the verification device 5 is responsible for verifying theZKPOK for validating the signature σ.

A typical implementation of the cryptographic method consists ofequipping the calculators 20, 25, 30, 40, 50 and 60 of the entities 2,3, 4, 5 and 6 with programs written in appropriate computer languages,which when executed control the calculations and operations describedabove.

The invention claimed is:
 1. A cryptographic method using acryptographic scheme based on cyclic groups G₁, G₂ and G_(T) of order p,two respective generator elements g₁ and g₂ of groups G₁ and G₂, and abilinear map e of G₁×G₂ onto G_(T), where p indicates a prime number,time being subdivided into successive periods of index j=0, 1, 2, andsuccessive integers, wherein a public key has components representativeof elements u and v of the group G₁ and, for each period of index j,components representative of an integer s_(j) between 0 and p−1, of anelement g_(1,j) of the group G₁, and of elements g_(2,j), w_(j) andh_(j) of the group G₂, wherein a first secret key includes an integer γbetween 0 and p−1 such that w_(j)=g_(2,j) ^(γ), g_(1,0)=g₁ ^(1/(γ+s) ⁰⁾, g_(2,0)=g₂ ^(1/(γ+s) ⁰ ⁾ and, for j>0, g_(1,j)=g_(1,j-1) ^(1/(γ+s)^(j) ⁾ and g_(2,j)=g_(2,j-1) ^(1/(γ+s) ^(j) ⁾, wherein a second secretkey includes an integer ok between 0 and p−1 such that v=u^(ok), whereina third secret key includes an integer tk between 0 and p−1 such thath_(j)=g_(2,j) ^(tk), wherein a private key of a member of a signer grouphas a component representative of an integer x_(i) between 0 and p−1and, for each period of index j, a component representative of anelement A_(i,j) of the group G₁ such thatA_(i,n)=[A_(i,n-1)/g_(1,n-1)]^(1/(x) ^(i) ^(−s) ^(n) ⁾ for any index nbetween 1 and j, the cryptographic method comprising a signatureprocedure in which said member of the signer group obtains a signaturefor a message during a period of index j≧0, by executing on a processorthe steps of: choosing two integers α and β between 0 and p−1;calculating elements T₁=u^(α) and T₂=A_(i,j)·v^(α) of the group G₁;calculating an element S₁=g_(2,j) ^(β) of the group G₂; calculating anelement S₂=e(A_(i,j), h_(j))^(β) of the group G_(T); calculating, as afunction of the message, proof data confirming that the elements T₁, T₂,S₁ and S₂ are correctly formed with knowledge of the private key of themember of the signer group for the period of index j; and including theelements T₁, T₂, S₁, S₂ and the proof data in the signature of themessage.
 2. The cryptographic method of claim 1, wherein the elementA_(i,0) of the private key of said member for the period of index j=0 isequal to g₁ ^(1/(γ+x) ^(i) ⁾.
 3. The cryptographic method of claim 2,wherein the proof data comprise a zero-knowledge proof of knowledge of aquintuplet (x_(i), z, α, β, δ) where z=x_(i)·α and δ=α·β such that:T ₁ =u ^(α);e(T ₂ ,g _(2,j))^(x) ^(i) ·e(v,w _(j))^(−α) ·e(v,g _(2,j))^(−z) =e(g_(1,j) ,g _(2,j))/e(T ₂ ,w _(j));T ₁ ^(β) =u ^(δ);S ₁ =g _(2,j) ^(β); ande(T ₂ ,h _(j))^(β) =S ₂ ·e(v,h _(j))^(δ).
 4. The cryptographic method ofclaim 1, further comprising a procedure for registering members with asupervisory authority holding the secret first key, wherein the privatekey of a member of a signer group further has a component representativeof another integer y_(i) between 0 and p−1, wherein registration of saidmember of the signer group comprises: selecting, by said member, theinteger y_(i) between 0 and p−1; calculating, by said member, an elementt_(i)=v^(x) ^(i) of the group G₁; sending the element t_(i) from saidmember to the supervisory authority; selecting, by the supervisoryauthority, the integer x_(i) between 0 and p−1; calculating, by thesupervisory authority, the element A_(i,0)=(g₁, t_(i))^(1/(γ+x) ^(i) ⁾of the group G₁; and sending the integer x_(i) and the element A_(i,0)from the supervisory authority to said member.
 5. The cryptographicmethod of claim 4, wherein the proof data comprise a zero-knowledgeproof of knowledge of a sextuplet (x_(i), y_(i), z, α, β, δ) wherez=x_(i)·α and δ=α·β such that:T ₁ =u ^(α);e(T ₂ ,g _(2,j))^(x) ^(i) ·e(v,w _(j))^(−α−y) ^(i) ·e(v,g _(2,j))^(−z)=e(g _(1,j) ,g _(2,j))/e(T ₂ ,w _(j));T ₁ ^(β) =u ^(δ);S ₁ =g _(2,j) ^(β); ande(T ₂ ,h _(j))^(β) =S ₂ ·e(v,h _(j))^(δ).
 6. The cryptographic method ofclaim 1, further comprising a procedure for revoking members of thesigner group by an authority holding the third secret key andmaintaining an updated revocation list applicable to a current periodand comprising k−1 elements of the group G₁ after revocation of k−1members of the signer group, where k is an integer at least equal to 1,wherein revocation during a period of index j′ of a k^(th) member of thesigner group for whom the private key contains an element A_(i(k),j′) ofthe group G₁ for the period of index j′ comprises adding an elementgrt[i(k), j′]=A_(i(k),j′) ^(tk) of the group G₁ to the revocation listapplicable to the period of index j′.
 7. The cryptographic method ofclaim 6, further comprising a procedure for modifying the revocationlist by an authority holding the first secret key, at each change ofperiod in the time subdivision, wherein modifying the revocation listwhen advancing from a period of index j″−1 to the next period of indexj″ for an integer j″≧1 comprises, for any element grt[i(l), j″−1] of thegroup G₁ belonging to the revocation list applicable to the period ofindex j″−1, including the element grt[i(l), j″]=grt[i(l), j″−1]^(1/(γ+s)^(j″) ⁾ of the group G₁ into the revocation list applicable to the nextperiod of index j″.
 8. The cryptographic method of claim 7, furthercomprising a signature verification procedure by an entity holding thepublic key, taking into account the revocation list applicable to asignature period, wherein verifying a signature, including elements T₁,T₂ of the group G₁ and S₁, S₂ of the group G₂ and proof data, attachedto a message and presumed to be obtained during a period of index j,takes into account the revocation list applicable to the period of indexj and comprises the steps of: determining that the signature comes froma member of the signer group if the proof data confirm that the elementsT₁, T₂, S₁ and S₂ are correctly formed as a function of the message withknowledge of a private key valid for the period of index j; andaccepting the signature as coming from a non-revoked member of thesigner group if e(grt[i(l), j], S₁)≠S₂ for any element grt[i(l), j] ofthe revocation list applicable to the period of index j.
 9. Thecryptographic method of claim 1, further comprising a procedure forlifting anonymity of a signer of a message by an authority holding thesecond secret key, wherein lifting anonymity based on a signature of themessage, including elements T₁, T₂ of the group G₁, comprisescalculating an element A=T₂·T₁ ^(−ok) of the group G₁.
 10. Acryptographic device, using a cryptographic scheme based on cyclicgroups G₁, G₂ and G_(T) of order p, two respective generating elementsg₁ and g₂ of the groups G₁ and G₂, and a bilinear map e of G₁×G₂ ontoG_(T), where p indicates a prime number, time being subdivided intosuccessive periods of index j=0, 1, 2, and successive integers, whereina public key has components representative of elements u and v of thegroup G₁ and, for each period of index j, components representative ofan integer s_(j) between 0 and p−1, of an element g_(1,j) of the groupG₁, and of elements g_(2,j), w_(j) and h_(j) of the group G₂, wherein aprivate key of a member of a signer group possessing said cryptographicdevice has a component representative of an integer x_(i) between 0 andp−1 and, for each period of index j, a component representative of anelement A_(i,j) of the group G₁ such thatA_(i,n)=[A_(i,n-1)/g_(1,n-1)]^(1/(x) ^(i) ^(−s) ^(n) ⁾ for any index nbetween 1 and j, the cryptographic device comprising a hardwareprocessor and instructions for obtaining a signature for a messageduring a period of index j≧0, by selecting two integers α and β between0 and p−1, and calculating elements T₁=u^(α) and T₂=A_(i,j)·v^(α) of thegroup G₁, an element S₁=g_(2,j) ^(β) of the group G₂, an elementS₂=e(A_(i,j), h_(j))^(β) of the group G_(T) and, as a function of themessage, proof data confirming that the elements T₁, T₂, S₁ and S₂ arecorrectly formed with knowledge of the private key of the member of thesigner group for the period of index j, the signature of the messageincluding the elements T₁, T₂, S₁, S₂ and the proof data.
 11. Acryptographic device, using a cryptographic scheme based on cyclicgroups G₁, G₂ and G_(T) of order p, two respective generating elementsg₁ and g₂ of the groups G₁ and G₂, and a bilinear map e of G₁×G₂ ontoG_(T), where p indicates a prime number, time being subdivided intosuccessive periods of index j=0, 1, 2, and successive integers, whereina public key has components representative of elements u and v of thegroup G₁ and, for each period of index j, components representative ofan integer s_(j) between 0 and p−1, of an element g_(1,j) of the groupG₁, and of elements g_(2,j), w_(j) and h_(j) of the group G₂, wherein asecret key includes an integer tk between 0 and p−1 such thath_(j)=g_(2,j) ^(tk), wherein a private key of a member of a signer grouphas a component representative of an integer x_(i) between 0 and p−1and, for each period of index j, a component representative of anelement A_(i,j) of the group G₁ such thatA_(i,n)=[A_(i,n-1)/g_(i,n-1)]^(1/(x) ^(i) ^(−s) ^(n) ⁾ for any index nbetween 1 and j, said member of the signer group being able to generatea signature for a message during a period of index j≧0, the signatureincluding elements T₁=u^(α) and T₂=A_(i,j)·v^(α) of the group G₁, anelement S₁=g_(2,j) ^(β) of the group G₂, an element S₂=e(A_(i,j),h_(j))^(β) of the group G_(T), and proof data dependent on the messageand confirming that the elements T₁, T₂, S₁ and S₂ were correctly formedwith knowledge of the private key of said member for the period of indexj, α and β being two integers between 0 and p−1 selected by said member,the cryptographic device comprising a hardware processor and revocationmanager instructions for maintaining an updated revocation listapplicable to a current period using said secret key, the revocationmanager instructions comprising calculator instructions for receiving,during a period of index j′, a revocation list comprising k−1≧0 elementsof the group G₁ and a revocation request for a k^(th) member of thesigner group for whom the private key comprises an element A_(i(k),j′)of the group G₁ for the period of index j′, where k is an integer atleast equal to 1, and for producing an updated revocation listapplicable to the period of index j′, to which has been added an elementgrt[i(k), j′]=A_(i(k),j′) ^(tk) of the group G₁.
 12. A cryptographicdevice, using a cryptographic scheme based on cyclic groups G₁, G₂ andG_(T) of order p, two respective generating elements g₁ and g₂ of thegroups G₁ and G₂, and a bilinear map e of G₁×G₂ onto G_(T), where pindicates a prime number, time being subdivided into successive periodsof index j=0, 1, 2, and successive integers, wherein a public key hascomponents representative of elements u and v of the group G₁ and, foreach period of index j, components representative of an integer s_(j)between 0 and p−1, of an element g_(1,j) of the group G₁, and ofelements g_(2,j), w_(j) and h_(j) of the group G₂, wherein a secret keyincludes an integer γ between 0 and p−1 such that w_(j)=g_(2,j) ^(γ),g_(1,0)=g₁ ^(1/(γ+s) ⁰ ⁾, g_(2,0)=g₂ ^(1/(γ+s) ⁰ ⁾ and, for j>0,g_(1,j)=g_(1,j-1) ^(1/(γ+s) ^(j) ⁾ and g_(2,j)=g_(2,j-1) ^(1/(γ+s) ^(j)⁾, wherein a private key of a member of a signer group has a componentrepresentative of an integer x_(i) between 0 and p−1 and, for eachperiod of index j, a component representative of an element A_(i,j) ofthe group G₁ such that A_(i,n)=[A_(i,n-1)/g_(1,n-1)]^(1/(x) ^(i) ^(−s)^(n) ⁾ for any index n between 1 and j, said member of the signer groupbeing able to generate a signature for a message during a period ofindex j≧0, the signature including elements T₁=u^(α) andT₂=A_(i,j)·v^(α) of the group G₁, an element S₁=g_(2,j) ^(β) of thegroup G₂, an element S₂=e(A_(i,j), h_(j))^(β) of the group G_(T), andproof data dependent on the message and confirming that the elements T₁,T₂, S₁ and S₂ were correctly formed with knowledge of the private key ofsaid member for the period of index j, where α and β are two integersbetween 0 and p−1 selected by said member, the cryptographic devicecomprising a hardware processor and revocation list manager instructionsfor forming a revocation list applicable to a new period of index j″using said secret key and based on a revocation list applicable to theprevious period of index j″−1, where j″ is an integer at least equal to1, the revocation list applicable to the new period of index j″comprising a respective element grt[i(l), j″]=grt[i(l), j″−1]^(1/(γ+s)^(j″) ⁾ of the group G₁ for any element grt[i(l), j″−1] of the group G₁belonging to the revocation list applicable to the previous period ofindex j″−1.
 13. A verification device for verifying signatures producedusing a cryptographic scheme based on cyclic groups G₁, G₂ and G_(T) oforder p, two respective generator elements g₁ and g₂ of the groups G₁and G₂, and a bilinear map e of G₁×G₂ onto G_(T), where p indicates aprime number, time being subdivided into successive periods of indexj=0, 1, 2, and successive integers, wherein a public key has componentsrepresentative of elements u and v of the group G₁ and, for each periodof index j, components representative of an integer s_(j) between 0 andp−1, of an element g_(1,j) of the group G₁, and of elements g_(2,j),w_(j) and h_(j) of the group G₂, wherein a private key of a member of asigner group (2) has a component representative of an integer x_(i)between 0 and p−1 and, for each period of index j, a componentrepresentative of an element A_(i,j) of the group G₁ such thatA_(i,n)=[A_(i,n-1)/g_(1,n-1)]^(1/(x) ^(i) ^(−s) ^(n) ⁾ for any index nbetween 1 and j, said member of the signer group being able to generatea signature for a message during a period of index j≧0, said signatureincluding elements T₁=u^(α) and T₂=A_(i,j)·v^(α) of the group G₁, anelement S₁=g_(2,j) ^(β) of the group G₂, an element S₂=e(A_(i,j),h_(j))^(β) of the group G_(T), and proof data dependent on the messageand confirming that the elements T₁, T₂, S₁ and S₂ were correctly formedwith knowledge of the private key of said member for the period of indexj, where α and β are two integers between 0 and p−1 selected by saidmember, the verification device having access to the public key for aperiod of index j as well as to a revocation list applicable to theperiod of index j and composed of k elements grt[i(l), j] of the groupG₁, where k is a non-negative integer, the verification devicecomprising a hardware processor and calculator instructions forreceiving a signature, including elements T₁, T₂ of the group G₁ and S₁,S₂ of the group G₂, and proof data, attached to a message and presumedto be obtained during a period of index j, for determining that saidsignature comes from a member of the signer group if the proof dataconfirm that the elements T₁, T₂, S₁ and S₂ are correctly formed as afunction of the message with knowledge of a private key valid for theperiod of index j, and for accepting the signature as coming from anon-revoked member of the signer group if e(grt[i(l), j], S₁)≠S₂ forevery element grt[i(l), j] of the revocation list applicable to theperiod of index j.
 14. A cryptographic device, using a cryptographicscheme based on cyclic groups G₁, G₂ and G_(T) of order p, tworespective generator elements g₁ and g₂ of the groups G₁ and G₂, and abilinear map e of G₁×G₂ onto G_(T), where p indicates a prime number,time being subdivided into successive periods of index j=0, 1, 2, andsuccessive integers, wherein a public key has components representativeof elements u and v of the group G₁ and, for each period of index j,components representative of an integer s_(j) between 0 and p−1, of anelement g_(1,j) of the group G₁, and elements g_(2,j), w_(j) and h_(j)of the group G₂, wherein a secret key includes an integer ok between 0and p−1 such that v=u^(ok), wherein a private key of a member of asigner group has a component representative of an integer x_(i) between0 and p−1 and, for each period of index j, a component representative ofan element A_(i,j) of the group G₁ such thatA_(i,n)=[A_(i,n-1)/g_(1,n-1)]^(1/(x) ^(i) ^(−s) ^(n) ⁾ for any index nbetween 1 and j, said member of the signer group being able to generatea signature for a message during a period of index j≧0, said signatureincluding elements T₁=u^(α) and T₂=A_(i,j)·v^(α) of the group G₁, anelement S₁=g_(2,j) ^(β) of the group G₂, an element S₂=e(A_(i,j),h_(j))^(β) of the group G_(T), and proof data dependent on the messageand confirming that the elements T₁, T₂, S₁ and S₂ were correctly formedwith knowledge of the private key of said member for the period of indexj, where α and β are two integers between 0 and p−1 selected by saidmember, the cryptographic device comprising a hardware processor and ananonymity lifting server using said secret key, for receiving asignature of a message, including elements T₁, T₂ of the group G₁, andproducing an element A=T₂·T₁ ^(−ok) of the group G₁.
 15. Anon-transitory computer-readable medium having a computer program storedthereon for a cryptographic device used by a member of a signer group,the program comprising instructions for executing a signature procedureof a cryptographic method when the program is executed by a processingunit of the cryptographic device, wherein the cryptographic methodcomprises a cryptographic scheme based on cyclic groups G₁, G₂ and G_(T)of order p, two respective generator elements g₁ and g₂ of groups G₁ andG₂, and a bilinear map e of G₁×G₂ onto G_(T), where p indicates a primenumber, time being subdivided into successive periods of index j=0, 1,2, and successive integers, wherein a public key of the cryptographicscheme has components representative of elements u and v of the group G₁and, for each period of index j, components representative of an integers_(j) between 0 and p−1, of an element g_(1,j) of the group G₁, and ofelements g_(2,j), w_(j) and h_(j) of the group G₂, wherein a firstsecret key of the cryptographic scheme includes an integer γ between 0and p−1 such that w_(j)=g_(2,j) ^(γ), g_(1,0)=g₁ ^(1/(γ+s) ⁰ ⁾,g_(2,0)=g₂ ^(1/(γ+s) ⁰ ⁾ and, for j>0, g_(1,j)=g_(1,j-1) ^(1/(γ+s) ^(j)⁾ and g_(2,j)=g_(2,j-1) ^(1/(γ+s) ^(j) ⁾, wherein a second secret key ofthe cryptographic scheme includes an integer ok between 0 and p−1 suchthat v=u^(ok), wherein a third secret key of the cryptographic schemeincludes an integer tk between 0 and p−1 such that h_(j)=g_(2,j) ^(tk),wherein a private key of said member of the signer group has, in thecryptographic scheme, a component representative of an integer x_(i)between 0 and p−1 and, for each period of index j, a componentrepresentative of an element A_(i,j) of the group G₁ such thatA_(i,n)=[A_(i,n-1)/g_(i,n-1)]^(1/(x) ^(i) ^(−s) ^(n) ⁾ for index nbetween 1 and or any j, wherein the signature procedure comprisesobtaining a signature for a message during a period of index j≧0, by:choosing two integers α and β between 0 and p−1; calculating elementsT₁=u^(α) and T₂=A_(i,j)·v^(α) of the group G₁; calculating an elementS₁=g_(2,j) ^(β) of the group G₂; calculating an element S₂=e(A_(i,j),h_(j))^(β) of the group G_(T); calculating, as a function of themessage, proof data confirming that the elements T₁, T₂, S₁ and S₂ arecorrectly formed with knowledge of the private key of the member of thesigner group for the period of index j; and including the elements T₁,T₂, S₁, S₂ and the proof data in the signature of the message.
 16. Anon-transitory computer-readable medium having a computer program storedthereon for a cryptographic unit used by a revocation authority forrevoking membership from a signer group, the program comprisinginstructions for executing a revocation procedure of a cryptographicmethod when the program is executed by a processing unit of thecryptographic unit, wherein the cryptographic method comprises acryptographic scheme based on cyclic groups G₁, G₂ and G_(T) of order p,two respective generator elements g₁ and g₂ of groups G₁ and G₂, and abilinear map e of G₁×G₂ onto G_(T), where p indicates a prime number,time being subdivided into successive periods of index j=0, 1, 2, andsuccessive integers, wherein a public key of the cryptographic schemehas components representative of elements u and v of the group G₁ and,for each period of index j, components representative of an integers_(j) between 0 and p−1, of an element g_(1,j) of the group G₁, and ofelements g_(2,j), w_(j) and h_(j) of the group G₂, wherein a firstsecret key of the cryptographic scheme includes an integer γ between 0and p−1 such that w_(j)=g_(2,j) ^(γ), g_(1,0)=g₁ ^(1/(γ+s) ⁰ ⁾,g_(2,0)=g₂ ^(1/(γ+s) ⁰ ⁾ and, for j>0, g_(1,j)=g_(1,j-1) ^(1/(γ+s) ^(j)⁾ and g_(2,j)=g_(2,j-1) ^(1/(γ+s) ^(j) ⁾, wherein a second secret key ofthe cryptographic scheme includes an integer ok between 0 and p−1 suchthat v=u^(ok), wherein a third secret key of the cryptographic scheme isheld by the revocation authority and includes an integer tk between 0and p−1 such that h_(j)=g_(2,j) ^(tk), wherein a private key of a memberof a signer group has, in the cryptographic scheme, a componentrepresentative of an integer x_(i) between 0 and p−1 and, for eachperiod of index j, a component representative of an element A_(i,j) ofthe group G₁ such that A_(i,n)=[A_(i,n-1)/g_(i,n-1)]^(1/(x) ^(i) ^(−s)^(n) ⁾ for any index n between 1 and j, the cryptographic method furthercomprising a signature procedure in which said member of the signergroup obtains a signature for a message during a period of index j≧0, byexecuting the steps of: choosing two integers α and β between 0 and p−1;calculating elements T₁=u^(α) and T₂=A_(i,j)·v^(α) of the group G₁;calculating an element S₁=g_(2,j) ^(β) of the group G₂; calculating anelement S₂=e(A_(i,j), h_(j))^(β) of the group G_(T); calculating, as afunction of the message, proof data confirming that the elements T₁, T₂,S₁ and S₂ are correctly formed with knowledge of the private key of themember of the signer group for the period of index j; and including theelements T₁, T₂, S₁, S₂ and the proof data in the signature of themessage, wherein the revocation procedure is for maintaining an updatedrevocation list applicable to a current period and comprising k−1elements of the group G₁ after revocation of k−1 members of the signergroup, where k is an integer at least equal to 1, and wherein therevocation procedure comprises, for revoking during a period of index j′a k^(th) member of the signer group for whom the private key contains anelement A_(i(k),j′) of the group G₁ for the period of index j′, addingan element grt[i(k), j′]=A_(i(k),j′) ^(tk) of the group G₁ to therevocation list applicable to the period of index j′.
 17. Anon-transitory computer-readable medium having a computer program storedthereon for a cryptographic unit used by a revocation list modificationauthority for modifying a revocation list of members of a signer group,the program comprising instructions for a revocation list modificationprocedure of a cryptographic method when the program is executed by aprocessing unit of the cryptographic unit, wherein the cryptographicmethod comprises a cryptographic scheme based on cyclic groups G₁, G₂and G_(T) of order p, two respective generator elements g₁ and g₂ ofgroups G₁ and G₂, and a bilinear map e of G₁×G₂ onto G_(T), where pindicates a prime number, time being subdivided into successive periodsof index j=0, 1, 2, and successive integers, wherein a public key of thecryptographic scheme has components representative of elements u and vof the group G₁ and, for each period of index j, componentsrepresentative of an integer s_(j) between 0 and p−1, of an elementg_(1,j) of the group G₁, and of elements g_(2,j), w_(j) and h_(j) of thegroup G₂, wherein a first secret key of the cryptographic scheme is heldby the revocation list modification authority and includes an integer γbetween 0 and p−1 such that w_(j)=g_(2,j) ^(γ), g_(1,0)=g₁ ^(1/(γ+s) ⁰⁾, g_(2,0)=g₂ ^(1/(γ+s) ⁰ ⁾ and, for j>0, g_(1,j)=g_(1,j-1) ^(1/(γ+s)^(j) ⁾ and g_(2,j)=g_(2,j-1) ^(1/(γ+s) ^(j) ⁾, wherein a second secretkey of the cryptographic scheme includes an integer ok between 0 and p−1such that v=u^(ok), wherein a third secret key of the cryptographicscheme is held by a revocation authority and includes an integer tkbetween 0 and p−1 such that h_(j)=g_(2,j) ^(tk), wherein a private keyof a member of a signer group has, in the cryptographic scheme, acomponent representative of an integer x_(i) between 0 and p−1 and, foreach period of index j, a component representative of an element A_(i,j)of the group G₁ such that A_(i,n)=[A_(i,n-1)/g_(i,n-1)]^(1/(x) ^(i)^(−s) ^(n) ⁾ for any index n between 1 and j, the cryptographic methodfurther comprising a signature procedure in which said member of thesigner group obtains a signature for a message during a period of indexj≧0, by executing the steps of: choosing two integers α and β between 0and p−1; calculating elements T₁=u^(α) and T₂=A_(i,j)·v^(α) of the groupG₁; calculating an element S₁=g_(2,j) ^(β) of the group G₂; calculatingan element S₂=e(A_(i,j), h_(j))^(β) of the group G_(T); calculating, asa function of the message, proof data confirming that the elements T₁,T₂, S₁ and S₂ are correctly formed with knowledge of the private key ofthe member of the signer group for the period of index j; and includingthe elements T₁, T₂, S₁, S₂ and the proof data in the signature of themessage, the cryptographic method further comprising a procedure forrevoking members of the signer group by the revocation authority andmaintaining an updated revocation list applicable to a current periodand comprising k−1 elements of the group G₁ after revocation of k−1members of the signer group, where k is an integer at least equal to 1,wherein revocation during a period of index j′ of a k^(th) member of thesigner group for whom the private key contains an element A_(i(k),j′) ofthe group G₁ for the period of index j′ comprises adding an elementgrt[i(k), j′]=A_(i(k),j′) ^(tk) of the group G₁ to the revocation listapplicable to the period of index j′, wherein the revocation listmodification procedure is for modifying the revocation list by therevocation list modification authority at each change of period in thetime subdivision, wherein modifying the revocation list when advancingfrom a period of index j″−1 to the next period of index j″ for aninteger j″≧1 comprises, for any element grt[i(l), j″−1] of the group G₁belonging to the revocation list applicable to the period of index j″−1,including the element grt[i(l), j″]=grt[i(l), j″−1]^(1/(γ+s) ^(j″) ⁾ ofthe group G₁ into the revocation list applicable to the next period ofindex j″.
 18. A non-transitory computer-readable medium having acomputer program stored thereon for a signature verification device, theprogram comprising instructions for executing a signature verificationprocedure of a cryptographic method when the program is executed by aprocessing unit of the verification device, wherein the cryptographicmethod comprises a cryptographic scheme based on cyclic groups G₁, G₂and G_(T) of order p, two respective generator elements g₁ and g₂ ofgroups G₁ and G₂, and a bilinear map e of G₁×G₂ onto G_(T), where pindicates a prime number, time being subdivided into successive periodsof index j=0, 1, 2, and successive integers, wherein a public key of thecryptographic scheme is accessible to the verification device and hascomponents representative of elements u and v of the group G₁ and, foreach period of index j, components representative of an integer s_(j)between 0 and p−1, of an element g_(1,j) of the group G₁, and ofelements g_(2,j), w_(j) and h_(j) of the group G₂, wherein a firstsecret key of the cryptographic scheme is held by a revocation listmodification authority and includes an integer γ between 0 and p−1 suchthat w_(j)=g_(2,j) ^(γ), g_(1,0)=g₁ ^(1/(γ+s) ⁰ ⁾, g_(2,0)=g₂ ^(1/(γ+s)⁰ ⁾ and, for j>0, g_(1,j)=g_(1,j-1) ^(1/(γ+s) ^(j) ⁾ andg_(2,j)=g_(2,j-1) ^(1/(γ+s) ^(j) ⁾, wherein a second secret key of thecryptographic scheme includes an integer ok between 0 and p−1 such thatv=u^(ok), wherein a third secret key of the cryptographic scheme is heldby a revocation authority and includes an integer tk between 0 and p−1such that h_(j)=g_(2,j) ^(tk), wherein a private key of a member of asigner group has, in the cryptographic scheme, a componentrepresentative of an integer x_(i) between 0 and p−1 and, for eachperiod of index j, a component representative of an element A_(i,j) ofthe group G₁ such that A_(i,n)=[A_(i,n-1)/g_(1,n-1)]^(1/(x) ^(i) ^(−s)^(n) ⁾ for any index n between 1 and j, the cryptographic method furthercomprising a signature procedure in which said member of the signergroup obtains a signature for a message during a period of index j≧0, byexecuting the steps of: choosing two integers α and β between 0 and p−1;calculating elements T₁=u^(α) and T₂=A_(i,j)·v^(α) of the group G₁;calculating an element S₁=g_(2,j) ^(β) of the group G₂; calculating anelement S₂=e(A_(i,j), h_(j))^(β) of the group G_(T); calculating, as afunction of the message, proof data confirming that the elements T₁, T₂,S₁ and S₂ are correctly formed with knowledge of the private key of themember of the signer group for the period of index j; and including theelements T₁, T₂, S₁, S₂ and the proof data in the signature of themessage, the cryptographic method further comprising a procedure forrevoking members of the signer group by the revocation authority andmaintaining an updated revocation list applicable to a current periodand comprising k−1 elements of the group G₁ after revocation of k−1members of the signer group, where k is an integer at least equal to 1,wherein revocation during a period of index j′ of a k^(th) member of thesigner group for whom the private key contains an element A_(i(k),j′) ofthe group G₁ for the period of index j′ comprises adding an elementgrt[i(k), j′]=A_(i(k),j′) ^(tk) of the group G₁ to the revocation listapplicable to the period of index j′, the cryptographic method furthercomprising a revocation list modification procedure for modifying therevocation list by the revocation list modification authority at eachchange of period in the time subdivision, wherein modifying therevocation list when advancing from a period of index j″−1 to the nextperiod of index j″ for an integer j″≧1 comprises, for any elementgrt[i(l), j″−1] of the group G₁ belonging to the revocation listapplicable to the period of index j″−1, including the element grt[i(l),j″]=grt[i(l), j″−1]^(1/(γ+s) ^(j″) ⁾ of the group G₁ into the revocationlist applicable to the next period of index j″, wherein the signatureverification procedure is for verifying a signature, including elementsT₁, T₂ of the group G₁ and S₁, S₂ of the group G₂ and proof data,attached to a message and presumed to be obtained during a period ofindex j, takes into account the revocation list applicable to the periodof index j and comprises: determining that the signature comes from amember of the signer group if the proof data confirm that the elementsT₁, T₂, S₁ and S₂ are correctly formed as a function of the message withknowledge of a private key valid for the period of index j; andaccepting the signature as coming from a non-revoked member of thesigner group if e(grt[i(l), j], S₁)≠S₂ for any element grt[i(l), j] ofthe revocation list applicable to the period of index j.
 19. Anon-transitory computer-readable medium having a computer program storedthereon for a cryptographic unit used by an anonymity lifting authorityfor lifting anonymity of a signer of a message, the program comprisinginstructions for executing an anonymity lifting procedure of acryptographic method when the program is executed by a processing unitof the cryptographic unit, wherein the cryptographic method comprises acryptographic scheme based on cyclic groups G₁, G₂ and G_(T) of order p,two respective generator elements g₁ and g₂ of groups G₁ and G₂, and abilinear map e of G₁×G₂ onto G_(T), where p indicates a prime number,time being subdivided into successive periods of index j=0, 1, 2, andsuccessive integers, wherein a public key of the cryptographic schemehas components representative of elements u and v of the group G₁ and,for each period of index j, components representative of an integers_(j) between 0 and p−1, of an element g_(1,j) of the group G₁, and ofelements g_(2,j), w_(j) and h_(j) of the group G₂, wherein a firstsecret key of the cryptographic scheme includes an integer γ between 0and p−1 such that w_(j)=g_(2,j) ^(γ), g_(1,0)=g₁ ^(1/(γ+s) ⁰ ⁾,g_(2,0)=g₂ ^(1/(γ+s) ⁰ ⁾ and, for j>0, g_(1,j)=g_(1,j-1) ^(1/(γ+s) ^(j)⁾ and g_(2,j)=g_(2,j-1) ^(1/(γ+s) ^(j) ⁾, wherein a second secret key ofthe cryptographic scheme is held by the anonymity lifting authority andincludes an integer ok between 0 and p−1 such that v=u^(ok), wherein athird secret key of the cryptographic scheme includes an integer tkbetween 0 and p−1 such that h_(j)=g_(2,j) ^(tk), wherein a private keyof a member of a signer group has, in the cryptographic scheme, acomponent representative of an integer x_(i) between 0 and p−1 and, foreach period of index j, a component representative of an element A_(i,j)of the group G₁ such that A_(i,n)=[A_(i,n-1)/g_(1,n-1)]^(1/(x) ^(i)^(−s) ^(n) ⁾ for any index n between 1 and j, the cryptographic methodfurther comprising a signature procedure in which said member of thesigner group obtains a signature for a message during a period of indexj≧0, by executing the steps of: choosing two integers α and β between 0and p−1; calculating elements T₁=u^(α) and T₂=A_(i,j)·v^(α) of the groupG₁; calculating an element S₁=g_(2,j) ^(β) of the group G₂; calculatingan element S₂=e(A_(i,j), h_(j))^(β) of the group G_(T); calculating, asa function of the message, proof data confirming that the elements T₁,T₂, S₁ and S₂ are correctly formed with knowledge of the private key ofthe member of the signer group for the period of index j; and includingthe elements T₁, T₂, S₁, S₂ and the proof data in the signature of themessage, wherein the anonymity lifting procedure for lifting anonymitybased on a signature including elements T₁, T₂ of the group G₁ comprisescalculating an element A=T₂·T₁ ^(−ok) of the group G₁.